The ICAP agent is configured to work automatically with Blue Coat ProxySG ICAP clients. But if you are using a different proxy server or if you use an alternate configuration, you need to configure the ICAP agent. To do this, edit values in this registry key:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates
\CA DataMinder\CurrentVersion\ICAP
This registry key contains the following registry values:
Type: REG_DWORD
Data: Defaults to 1344. This registry value specifies the port used by the ICAP client and server (that is, the ICAP agent) to communicate ICAP requests and responses.
Note: If you change the port value, you must restart the PE hub.
Type: REG_DZ
Data: Defaults to ‘auto’. This registry value specifies the encoding scheme for the user name in the ICAP message.
Supported values are auto, base64, and none:
The ICAP Agent automatically tries to detect whether the authenticated user information is base64 encoded. Choose the 'auto' option in situations where the user information passed to the ICAP agent can be either base64 encoded or plain text.
If the ICAP agent confirms that:
Important! The 'auto' option does not work if the authenticated user name has an ambiguous format.
User names with ambiguous formats
If the agent receives user information that contains characters that cannot occur in valid base64 encoding (such as colons and backslashes), the agent immediately confirms that the user information is not base64 encoded.
However, if the user information contains only characters that are valid in base64 encoding, the format is ambiguous. The ICAP agent cannot determine whether the user information is base64 encoded or in plain text and so assumes that it is base64 encoded. Valid characters in base64 encoding are limited to letters, digits, and '+' and '/' characters.
In particular, if user information is passed to the ICAP agent in domain/username format, the 'auto' option does not work. For example, the following user name is valid as both plain text and base64 encoded:
"unipraxis/srimmel"
Conversely, the 'auto' option does work correctly if the ICAP agent receives user information that uses the following formats:
"LDAP://10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=unipraxis,DC=com" "WinNT://unipraxis/srimmel" "unknown://unipraxis\srimmel" "unknown://srimmel@unipraxis.com" "unknown://CN=Spencer Rimmel,CN=Users,DC=unipraxis,DC=com" "srimmel@unipraxis.com" "unipraxis\srimmel" "CN=Spencer Rimmel,CN=Users,DC=unipraxis,DC=com"
Note: If you see multiple E3F23 errors in the ICAP agent log, the ICAP agent is failing to correctly parse user information in plain text. You must therefore change AuthenticatedUserEncoding to 'none'.
Specifies a base64 encoding scheme on the proxy server. Choose this option if the user information passed to the ICAP agent is always base64 encoded.
Choose this option if the user information passed to the ICAP agent is always in plain text.
Type: REG_DZ
Data: Defaults to X-Authenticated-User. This value is the default for Blue Coat ProxySG servers.
This registry value specifies the ICAP x-header that contains the user credentials. Policy engines use these credentials to map the user to a CA DataMinder user account. If you use a different proxy server, you must set this value to identify the ‘user credentials’ header used by that proxy server.
Type: REG_DZ
Data: Defaults to auto. This registry value specifies what type of user information is included in the AuthenticatedUserHeader x-header. Policy engines use this ‘user type’ information to determine the user policy to use when processing the data. Supported values are auto, DN, user, and SMTP:
The ICAP agent tries to detect the format automatically and extract the user information. The agent can detect distinguished names, ‘domain\user’ names, and SMTP email addresses.
The agent detects user information prefixed with any of the following Blue Coat ProxySG prefixes: LDAP, WinNT, and ‘unknown’. For example:
LDAP://10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com WinNT://unipraxis/srimmel unknown://srimmel@unipraxis.com
The agent also detects user information without the prefixes listed above. For example:
10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com unipraxis/srimmel srimmel@unipraxis.com
DN is for Blue Coat ProxySG servers that use LDAP authentication. DN indicates that AuthenticatedUserHeader is populated with the user’s DN entry in the LDAP directory. For example:
LDAP://10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com 10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com unknown://CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com
user is for Blue Coat ProxySG servers that populate the AuthenticatedUserHeader with prefixed 'domain\user' user credentials. The Blue Coat IWA and Windows SSO authentication methods generate these credentials. For example:
unknown://unipraxis\srimmel unknown://unipraxis/srimmel unipraxis\srimmel unipraxis/srimmel
SMTP is for Blue Coat ProxySG servers that populate the AuthenticatedUserHeader with prefixed SMTP email addressesThe Blue Coat Policy Substitution authentication method generates these addresses. For example:
unknown://srimmel@unipraxis.com srimmel@unipraxis.com
Type: REG_DWORD
Data: Defaults to 2. This specifies how ICAP messages passed to the ICAP agent are stored in the specified DiagnosticFolder (see below). Supported values are:
0 Do not write any messages to the diagnostic folder.
1 Dump every message to the diagnostic folder. Only use this value if directed to do so by CA Support.
2 Only write messages to the diagnostic folder if a processing error occurs.
If no diagnostic folder is specified (that is, if DiagnosticFolder is blank), no ICAP messages are written, regardless of what value CreateICAPMsg is set to.
Type: REG_DZ
Data: Defaults to X-Client-IP, the default value for Blue Coat ProxySG servers. This registry key value specifies the portion of the HTTP header that contains the IP address of the user system. If using a different proxy server, you may need to modify this value.
Type: REG_DZ
Data: No default value. This specifies the folder into which ICAP messages passed to the ICAP agent are saved for diagnostic purposes. The level of saved messages is set by CreateICAPMsg (see above).
You may be asked to modify this value by CA Support.
Type: REG_DWORD
Data: Defaults to 1. This determines whether the ICAP agent connects to a local policy engine hub. Do not change this value.
Type: REG_DWORD
Data: Defaults to 2. This determines the level of logging for the ICAP server. For example, you can configure the ICAP server to only log errors or important system messages.
Log entries are written to the WgnICAP_<date>.log file, where <date> is the date and time when the log file was created; the file is located in CA DataMinder's \data\log subfolder of the Windows All Users profile; see Viewing log files. The supported logging levels are:
1 Errors only
2 Errors and warnings
3 Errors and warnings, plus informational and status messages
Note: Setting LogLevel=3 will cause the log file to grow extremely rapidly. This level of logging is provided for testing and diagnostic purposes only. For example, it shows storage and retrieval on every resource item.
Type: REG_DWORD
Data: Defaults to 50. This specifies the maximum size (in MB) of message to be processed by the ICAP agent. Messages larger than this are allowed, but not processed; an entry is written to the log file indicating that a message exceeded the maximum size and was allowed.
To avoid unnecessary delays, ensure that this maximum file size threshold matches or is less than the Maximum Size of Files (KB) setting in the user policy (which also defaults to 50 MB). This prevents very large files being sent for policy processing by the ICAP agent, only to be rejected if they exceed the user policy-defined threshold.
Type: REG_DZ
Data: Specifies the name and path to the HTML template file that contains the notification message shown to users for HTTP responses from Web sites as a result of policy processing. This registry value defaults to:
C:\Program Files\CA\CA DataMinder\client\ResponseTemplate.html
This default template is very generic. It contains variables for the message text issued by the policy engine. If required, you can modify the template content and the file name and location to meet your organization’s needs.
Type: REG_DZ
Data: Specifies the HTML template file that contains the notification message shown to users for HTTP requests as a result of policy processing. This registry value defaults to:
C:\Program Files\CA\CA DataMinder\client\RequestTemplate.html
This default template is very generic. It contains variables for the message text issued by the policy engine. If required, you can modify the template content and the file name and location to meet your organization’s needs.
Type: REG_DWORD
Data: Defaults to 0. Enables administrators to update the ICAP agent configuration. Set to 1 to force the ICAP agent to re-read the registry. When the ICAP agent has accepted the changes, it automatically resets this value to 0.
|
Copyright © 2014 CA.
All rights reserved.
|
|